“pkill_on_warn” Proposed For Killing Linux Processes That Cause A Kernel Warning


A new kernel option was proposed today called “pkill_on_warn” that would kill all threads in a process if that process provoked a kernel warning.

Currently, when a process triggers a kernel warning, there is no consequence for that process by default. The Linux kernel does have a “panic_on_warn” option that turns a warning into a kernel panic, but pkill_on_warn would be far less drastic: it terminates only the offending process and keeps the system up and running.

Security researcher and Linux kernel contributor Alexander Popov proposed this new pkill_on_warn option. Popov argued in the patch proposal, “From a security point of view, kernel warning messages provide a lot of useful information for attackers. Many GNU/Linux distributions allow unprivileged users to read the kernel log, so attackers use kernel warning infoleak in vulnerability exploits… Let’s introduce the pkill_on_warn boot parameter. If this parameter is set, the kernel kills all threads in a process that provoked a kernel warning. This behavior is reasonable from a safety point of view described above. It is also useful for kernel security hardening because the system kills an exploit process that hits a kernel warning.”

This would not change the default kernel behavior; if and when the patch is merged, booting the kernel with pkill_on_warn=1 would enable the new behavior of killing any process that causes a kernel warning.
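As an added example (not code from the article or from the patch), the Python audit below parses a kernel command line and a few sysctl values and reports whether pkill_on_warn=1, panic_on_warn, and kernel.dmesg_restrict (the existing sysctl that stops unprivileged users reading the kernel log, which is the infoleak the proposal cites) are in effect. The sample command line and sysctl values are constructed; pkill_on_warn only has any effect on a kernel that actually carries the proposed patch.

```python
import shlex
from pathlib import Path

# Constructed sample input, not captured from a real machine.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-5.15 root=/dev/sda1 ro quiet pkill_on_warn=1 init_on_alloc=1"
SAMPLE_SYSCTLS = {"kernel.panic_on_warn": "0", "kernel.dmesg_restrict": "0"}


def parse_cmdline(cmdline):
    """Split /proc/cmdline text into {param: value}; bare flags map to ''.
    shlex handles the double-quoted values the kernel command line permits."""
    params = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params[key] = value if sep else ""
    return params


def audit(cmdline, sysctls):
    """Return {setting: enabled} for the three settings discussed in the article."""
    params = parse_cmdline(cmdline)
    return {
        # Proposed option: honoured only by a kernel that includes Popov's patch.
        "pkill_on_warn": params.get("pkill_on_warn") == "1",
        # Existing, heavier alternative: settable at boot or via sysctl.
        "panic_on_warn": params.get("panic_on_warn") == "1"
        or sysctls.get("kernel.panic_on_warn") == "1",
        # Closes the kernel-log infoleak that motivates the proposal.
        "dmesg_restrict": sysctls.get("kernel.dmesg_restrict") == "1",
    }


def read_live():
    """Read the running system's values (Linux only); missing files become None."""
    cmdline = Path("/proc/cmdline").read_text()
    sysctls = {}
    for name in ("kernel.panic_on_warn", "kernel.dmesg_restrict"):
        path = Path("/proc/sys") / name.replace(".", "/")
        sysctls[name] = path.read_text().strip() if path.exists() else None
    return cmdline, sysctls


if __name__ == "__main__":
    for setting, enabled in audit(SAMPLE_CMDLINE, SAMPLE_SYSCTLS).items():
        print(f"{setting:15s} {'enabled' if enabled else 'NOT set'}")
```

Call `audit(*read_live())` instead of the sample values to check the host you are on.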

The proposed patch is currently on the kernel mailing list.


